CISSP

2. Concepts (10)
CIA
DAD - NEGATIVE - (disclosure alteration and destruction)
Confidentiality - prevent unauthorized disclosure, need to know,
and least privilege. assurance that information is not disclosed to
unauthorized programs, users, processes, encryption, logical and
physical access control,
Integrity - no unauthorized modifications, consistent data,
protecting data or a resource from being altered in an unauthorized
fashion
Availability - reliable and timely, accessible, fault tolerance and
recovery procedures, WHEN NEEDED
IAAA – requirements for accountability
Identification - user claims identity, used for user access control
Authentication - testing of evidence of users identity
Accountability - determine actions to an individual person
Authorization - rights and permissions granted
Privacy - level of confidentiality and privacy protections
Risk (12)
Not possible to get rid of all risk.
Get risk to acceptable/tolerable level
Baselines – minimum standards
ISO 27005 – risk management framework
Budget – if not constrained go for the $$$
Responsibilities of the ISO (15)
Written Products – ensure they are done
CIRT – implement and operate
Security Awareness – provide leadership
Communicate – risk to higher management
Report to as high a level as possible
Security is everyone’s responsibility
Control Frameworks (17)
Consistent – approach & application
Measurable – way to determine progress
Standardized – all the same
Comprehension – examine everything
Modular – to help in review and adaptive. Layered, abstraction
Due Care Which means when a company did all that it could have
reasonably done to try and prevent security breach / compromise /
disaster, and took the necessary steps required as
countermeasures / controls (safeguards). The benefit of "due care"
can be seen as the difference between the damage with or without
"due care" safeguards in place. AKA doing something about the
threats, Failing to perform periodic security audits can result in the
perception that due care is not being maintained
Due Diligence means that the company properly investigated all of
its possibly weaknesses and vulnerabilities AKA understanding the
threats
Intellectual property laws (24)
Patent - grants ownership of an invention and provides enforcement
for owner to exclude others from practicing the invention. After 20
years the idea is open source of application
Copyright protects the expression of ideas but not necessarily the
idea itself ex. Poem, song @70 years after author dies
Trade Secret - something that is propriety to a company and
important for its survival and profitability (like formula of Coke or
Pepsi) DON’T REGISTER – no application
Trademarks - words, names, product shape, symbol, color or a
combination used to identify products and distinguish them from
competitor products (McDonald’s M) @10 years
Wassenaar Arrangement (WA) – Dual use goods & trade,
International cryptographic agreement, prevent destabilizing
Computer Crimes – loss, image, penalties
Regulations
SOX, Sarbanes Oxley, 2002 after ENRON and World Online
debacle Independent review by external accountants.
Section 302: CEO’s CFO’s can be sent to jail when information they
sign is incorrect. CEO SIGN
Section 404 is the about internal controls assessment: describing
logical controls over accounting files; good auditing and information
security.
Corporate Officer Liability (SOX)
- Executives are now held liable if the organization they
represent is not compliant with the law.
Negligence occurs if there is a failure to implement recommended
precautions, if there is no contingency/disaster recovery plan, failure
to conduct appropriate background checks, failure to institute
appropriate information security measures, failure to follow policy or
local laws and regulations.
COSO – framework to work with Sarbanes-Oxley 404 compliance
European laws: TREADWAY COMMISSION
Need for information security to protect the individual.
Privacy is the keyword here! Only use information of individuals for
what it was gathered for
(remember ITSEC, the European version of TCSEC that came from
the USA/Orange Book, come together in Common Criteria, but there
still is some overlap)
• strong in anti-spam and legitimate marketing
• Directs public directories to be subjected to tight controls
• Takes an OPT-IN approach to unsolicited commercial
electronic communications
• User may refuse cookies to be stored and user must be
provided with information
• Member states in the EU can make own laws e.g.
retention of data
COBIT – examines the effectiveness, efficiency, confidentiality,
integrity, availability, compliance, and reliability of high level control
objectives. Having controls, GRC heavy auditing, metrics, regulated
industry
Data Breaches (27)
Incident – an event that has potential to do harm
Breach – incident that results in disclosure or potential disclosure
of data
Data Disclosure – unauthorized acquisition of personal
information
Event – Threat events are accidental and intentional exploitations
of vulnerabilities.
Laws (28)
ITAR, 1976. Defense goods, arms export control act
FERPA – Education
GLBA, Graham, Leach, Bliley; credit related PII (21)
ECS, Electronic Communication Service (Europe); notice of
breaches
Fourth Amendment - basis for privacy rights is the Fourth
Amendment to the Constitution.
1974 US Privacy Act - Protection of PII on federal databases
1980 Organization for Economic Cooperation and
Development (OECD) - Provides for data collection,
specifications, safeguards
1986 (amended in 1996) US Computer Fraud and Abuse Act -
Trafficking in computer passwords or information that causes a
loss of $1,000 or more or could impair medical treatment.
1986 Electronic Communications Privacy Act - Prohibits
eavesdropping or interception w/o distinguishing private/public
Communications Assistance for Law Enforcement Act
(CALEA) of 1994 - amended the Electronic Communications
Privacy Act of 1986. CALEA requires all communications carriers
to make wiretaps possible for law enforcement with an
appropriate court order, regardless of the technology in use.
1987 US Computer Security Act - Security training, develop a
security plan, and identify sensitive systems on govt. agencies.
1991 US Federal Sentencing Guidelines - Responsibility on
senior management with fines up to $290 million. Invoke prudent
man rule. Address both individuals and organizations
1996 US Economic and Protection of Propriety
Information Act - industrial and corporate espionage
1996 Health Insurance and Portability Accountability Act
(HIPPA) – amended
1996 US National Information Infrastructure Protection
Act - Encourage other countries to adopt similar framework.
Health Information Technology for Economic and Clinical
Health Act of 2009 (HITECH) - Congress amended HIPAA by
passing this Act. This law updated many of HIPAA’s privacy and
security requirements. One of the changes is a change in the way
the law treats business associates (BAs), organizations who
handle PHI on behalf of a HIPAA covered entity. Any relationship
between a covered entity and a BA must be governed by a
written contract known as a business associate agreement
(BAA). Under the new regulation, BAs are directly subject to
HIPAA and HIPAA enforcement actions in the same manner as a
covered entity. HITECH also introduced new data breach
notification requirements

3. .Ethics (33)
Just because something is legal doesn’t make it right.
Within the ISC context: Protecting information through CIA
ISC2 Code of Ethics Canons
- Protect society, the commonwealth, and the
infrastructure.
- Act honorably, honestly, justly, responsibly, and legally.
- Provide diligent and competent service to principals.
- Advance and protect the profession.
Internet Advisory Board (IAB)
Ethics and Internet (RFC 1087)
Don’t compromise the privacy of users. Access to and use of
Internet is a privilege and should be treated as such
It is defined as unacceptable and unethical if you, for example, gain
unauthorized access to resources on the internet, destroy integrity,
waste resources or compromise privacy.
Business Continuity plans development (38)
- Defining the continuity strategy
- Computing strategy to preserve the elements of HW/SW/
communication lines/data/application
- Facilities: use of main buildings or any remote facilities
People: operators, management, technical support persons
Supplies and equipment: paper, forms HVAC
Documenting the continuity strategy
BIA (39)
Goal: to create a document to be used to help understand what
impact a disruptive event would have on the business
Gathering assessment material
- Org charts to determine functional relationships
- Examine business success factors
Vulnerability assessment
- Identify Critical IT resources out of critical
processes, Identify disruption impacts and
Maximum, Tolerable Downtime (MTD)
- Loss Quantitative (revenue, expenses for
repair) or Qualitative (competitive edge,
public embarrassment). Presented as low,
high, medium.
- Develop recovery procedures
Analyze the compiled information
- Document the process Identify inter-
dependability
- Determine acceptable interruption periods
Documentation and Recommendation
RTO<MTD
Administrative Management Controls (47)
Separation of duties - assigns parts of tasks to different
individuals thus no single person has total control of the
system’s security mechanisms; prevent collusion
M of N Control - requires that a minimum number of agents (M)
out of the total number of agents (N) work together to perform
high-security tasks. So, implementing three of eight controls would
require three people out of the eight with the assigned work task of
key escrow recovery agent to work together to pull a single key out
of the key escrow database
Least privilege - a system’s user should have the lowest level of
rights and privileges necessary to perform their work and should
only have them for the shortest time. Three types:
Read only, Read/write and Access/change
Two-man control - two persons review and approve the work of
each other, for very sensitive operations
Dual control -two persons are needed to complete a task
Rotation of duties - limiting the amount of time a person is
assigned to perform a security related task before being moved to
different task to prevent fraud; reduce collusion
Mandatory vacations - prevent fraud and allowing investigations,
one week minimum; kill processes
Need to know - the subject is given only the amount of
information required to perform an assigned task, business
justification
Agreements – NDA, no compete, acceptable use
Employment (48)
- staff members pose more threat than
external actors, loss of money stolen
equipment, loss of time work hours, loss of
reputation declining trusts and loss of
resources, bandwidth theft, due diligence
- Voluntary & involuntary ------------------Exit interview!!!
Third Party Controls (49)
- Vendors
- Consultants
- Contractors
Properly supervised, rights based on policy
Risk Management Concepts (52)
Threat – damage
Vulnerability – weakness to threat vector (never does anything)
Likelihood – chance it will happen
Impact – overall effects
Residual Risk – amount left over
Organizations own the risk
Risk is determined as a byproduct of likelihood and impact
ITIL (55)
ITIL – best practices for IT core operational processes, not for
audit
- Service
- Change
- Release
- Configuration
Strong end to end customer focus/expertise
About services and service strategy
Risk Management (52)
GOAL - Determine impact of the threat and risk of threat occurring
The primary goal of risk management is to reduce risk to an
acceptable level.
Step 1 – Prepare for Assessment (purpose, scope, etc.)
Step 2 – Conduct Assessment
- ID threat sources and events
- ID vulnerabilities and predisposing conditions
- Determine likelihood of occurrence
- Determine magnitude of impact
- Determine risk
Step 3 – Communicate Risk/results
Step 4 – Maintain Assessment/regularly
Types of Risk
Inherent chance of making an error with no controls in place
Control chance that controls in place will prevent, detect or control
errors
Detection chance that auditors won’t find an error
Residual risk remaining after control in place
Business concerns about effects of unforeseen circumstances
Overall combination of all risks aka Audit risk Preliminary
Security Examination (PSE): Helps to gather the elements that
you will need when the actual Risk Analysis takes place.
ANALYSIS Steps: Identify assets, identify threats, and calculate
risk.
ISO 27005 – deals with risk
Risk Assessment Steps (60)
Four major steps in Risk assessment?
Prepare, Perform, Communicate, Maintain
Qualitative (57)
Approval –
Form Team –
Analyze Data –
Calculate Risk –
Countermeasure Recommendations -
REMEMBER HYBRID!

4. Quantitative Risk Analysis (58)
- Quantitative VALUES!!
- SLE (single Loss Expectancy) = Asset Value * Exposure
factor (% loss of asset)
- ALE (Annual loss expectancy) = SLE * ARO
(Annualized Rate of occurrence)
Accept, mitigate(reduce by implementing controls calculate costs-),
Assign (insure the risk to transfer it), Avoid (stop business activity)
Loss= probability * cost
Residual risk - where cost of applying extra countermeasures is
more than the estimated loss resulting from a threat or vulnerability
(C > L). Legally the remaining residual risk is not counted when
deciding whether a company is liable.
Controls gap - is the amount of risk that is reduced by
implementing safeguards. A formula for residual risk is as follows:
total risk – controls gap = residual risk
RTO – how quickly you need to have that application’s information
available after downtime has occurred
RPO -Recovery Point Objective: Point in time that application data
must be recovered to resume business functions; AMOUNT OF
DATA YOUR WILLING TO LOSE
MTD -Maximum Tolerable Downtime: Maximum delay a business
can be down and still remain viable
MTD minutes to hours: critical
MTD 24 hours: urgent
MTD 72 hours: important
MTD 7 days: normal
MTD 30 days non-essential
PLAN
Accept
Build Risk Team
Review
Once in 100 years = ARO of 0.01
SLE is the dollar value lost when an asset is successfully attacked
Exposure Factor ranges from 0 to 1
NO – ALE is the annual % of the asset lost when attacked – NOT
Determination of Impact (61)
Life, dollars, prestige, market share
Risk Response (61)
Risk Avoidance – discontinue activity because you don’t want to
accept risk
Risk Transfer – passing on the risk to another entity
Risk Mitigation – elimination or decrease in level of risk
Risk Acceptance – live with it and pay the cost
Background checks – mitigation, acceptance, avoidance
Risk Framework Countermeasures (63)
- Accountability
- Auditability
- Source trusted and known
- Cost-effectiveness
- Security
- Protection for CIA of assets
- Other issues created?
If it leaves residual data from its function
Controls (68)
Primary Controls (Types) – (control cost should be less than the
value of the asset being protected)
Administrative/Managerial Policy
- Preventive: hiring policies, screening security awareness
(also called soft-measures!)
- Detective: screening behavior, job rotation, review of
audit records
Technical (aka Logical)
- Preventive: protocols, encryption, biometrics
smartcards, routers, firewalls
- Detective: IDS and automatic generated violation
reports, audit logs, CCTV(never preventative)
- Preventive: fences, guards, locks
- Detective: motion detectors, thermal detectors video
cameras
Physical (Domain 5) – see and
touch
- Fences, door, lock, windows etc.
Prime objective - is to reduce the effects of security threats and
vulnerabilities to a tolerable level
Risk analysis - process that analyses threat scenarios and
produces a representation of the estimated Potential loss
Main Categories of Access Control (67)
- Directive: specify rules of behavior
- Deterrent: discourage people, change my mind
- Preventative: prevent incident or breach
- Compensating: sub for loss of primary controls
- Detective: signal warning, investigate
- Corrective: mitigate damage, restore control
- Recovery: restore to normal after incident
Control Accuracy Security Consistency
Preventive Data checks,
validity
checks
Labels, traffic
padding,
encryption
DBMS, data
dictionary
Detective Cyclic
Redundancy
IDS, audit
trails
Comparison
tools
Corrective Checkpoint,
backups
Emergency
response
Database
controls
Functional order in which controls should be used. Deterrence,
Denial, Detection, Delay
Penetration Testing (77)
Testing a networks defenses by using the same techniques as
external intruders
Scanning and Probing – port scanners
• Demon Dialing – war dialing for modems
• Sniffing – capture data packets
• Dumpster Diving – searching paper disposal areas
• Social Engineering – most common, get information by
asking
Penetration testing
Blue team - had knowledge of the organization, can be done
frequent and least expensive
Red team - is external and stealthy
White box - ethical hacker knows what to look for, see code as a
developer
Grey Box - partial knowledge of the system, see code, act as a
user
Black box - ethical hacker not knowing what to find
4 stages: planning, discovery, attack, reporting
vulnerabilities exploited: kernel flaws, buffer overflows,
symbolic links, file descriptor attacks
other model: footprint network (information gathering) port
scans, vulnerability mapping, exploitation, report scanning
tools are used in penetration tests
flaw hypotheses methodology = operation system penetration
testing
Egregious hole – tell them now!
Strategies - External, internal, blind, double-blind
Categories – zero, partial, full knowledge tests
Pen Test Methodology (79)
Recon/discover -
Enumeration -
vulnerability analysis -
execution/exploitation -
document findings/reporting - SPELL OUT AND DEFINE!!!!
Control Assessment 76
Look at your posture
Deming Cycle (83)
Plan – ID opportunity & plan for change
Do – implement change on small scale
Check – use data to analyze results of change
Act – if change successful, implement wider scale, if fails begin
cycle again

5. Identification of Threat (86)
Individuals must be qualified with the appropriate level of training.
- Develop job descriptions
- Contact references
- Screen/investigate background
- Develop confidentiality agreements
- Determine policy on vendor, contractor, consultant, and
temporary staff access
DUE DILIGENCE
Software Licenses (91)
Public domain - available for anyone to use
Open source - source code made available with a license in which
the copyright holder provides the rights to study, change, and
distribute the software to anyone
Freeware - proprietary software that is available for use at no
monetary cost. May be used without payment but may usually not
be modified, re-distributed or reverse-engineered without the
author's permission
Assurance (92)
Degree of confidence in satisfaction of security requirements
Assurance = other word for security
THINK OUTSIDE AUDIT
Successful Requirements Gathering 92
Don’t assume what client wants
Involve users early
Define and agree on scope
MORE
Security Awareness (96)
Technical training to react to situations, best practices for Security
and network personnel; Employees, need to understand policies
then use presentations and posters etc. to get them aware
Formal security awareness training – exact prep on how
to do things
Terms
Wire Tapping eavesdropping on communication -only legal with
prior consent or warrant
Data Diddling act of modifying information, programs, or
documents to commit fraud, tampers with INPUT data
Privacy Laws data collected must be collected fairly and
lawfully and used only for the purpose it was collected.
Water holing – create a bunch of websites with similar names
Work Function (factor): the difficulty of obtaining the clear text
from the cipher text as measured by cost/time
Fair Cryptosystems - In this escrow approach, the secret keys
used in a communication are divided into two or more pieces, each
of which is given to an independent third party. When the
government obtains legal authority to access a particular key, it
provides evidence of the court order to each of the third parties and
then reassembles the secret key.
SLA – agreement between IT service provider and customer,
document service levels, divorce; how to dissolve relationship
SLR (requirements) – requirements for a service from client
viewpoint
Service level report – insight into a service providers ability to
deliver the agreed upon service quality
Legislative drivers?
FISMA(federal agencies)
Phase 1 categorizing, selecting minimum controls, assessment
Phase 2: create national network of secures services to assess

6. Information classification (110)
Categorization – Process of determining the impact of loss of CIA
of information to an organization. Identifies the value of the data to
the organization. Not all data has same value, demonstrates
business commitment to security, Identify which information is
most sensitive and vital
Criteria - Value, age, useful life, personal association
Levels
Government, military
- Unclassified (have FOUO also)
- Sensitive but unclassified
- Confidential (some damage)
- Secret (Serious damage) (Can have Country specific
restrictions also – NZAUS SECRET for New Zealand,
Australia and US secret)
- Top Secret (Grave damage)
Private sector (113)
- Public; used by public or employees
- Company Confidential; viewed by all employees but
not for general use
- Company Restricted – restricted to a subset of
employees
- Private; Ex. SSN, credit card info., could cause
damage
- Confidential; cause exceptionally grave damage,
Proprietary; trade secrets
- Sensitive; internal business
TS = Confidential/Prop, Secret = Private, Confidential = sensitive
Security policies, standards & guidelines (119)
Policies first and highest level of documentation
Very first is called Senior management Statement of Policy,
Stating importance, support and commitment
Types
- Regulatory (required due to laws, regulations,
compliance and specific industry standards!)
- Advisory (not mandatory but strongly suggested
- Informative to inform the reader
Information policy - classifications and defines level of access
and method to store and transmit information
Security policies - authenticates and defines technology used to
control information access and distribution
SYSTEM security policy - lists hardware / software to be used
and steps to undertake to protect infrastructure
Standards - Specify use of specific technologies in a uniform way
Guidelines - same as standards but not forced to follow
Procedures - detailed steps to perform a task
Baseline - minimum level of security
Security planning - involves security scope, providing security
management responsibilities and testing security measures for
effectiveness. Strategic 5 years Tactical shorter than strategic
Operational day to day, short term
Data Classification Policy (111)
- Who will have access to data?
- How is the data to be secured?
- How long is data to be retained?
- What method(s) should be used to dispose of data?
- Does data need to be encrypted?
- What is the appropriate use of the data?
Proper Assess Man REQUIRES (113)
1. Inventory Management – all things
2. Configuration Management - +patching
IT Asset Management (ITAM) (114)
Full life cycle management of IT assets
- CMBD; holds relationships between system components
– incidents, problems, known error, changes, and
releases
- Single repository
- Organizationally aligned -scalable
US-EU (Swiss) Safe Harbor (124)
The EU Data Protection Directive To be replaced, in 2018, by the
General Data Protection Regulation (GDPR)
Bridge differences in approach and provide a streamlined means
for U.S. organizations to comply with European Commissions.
STRENGTHING INDIVIDUALS RIGHTS
- Data obtained fairly and lawfully
- Data only used for original purpose
- Adequate, relevant, and not excessive to purpose
- Accurate and up to date
- Accessible to the subject
- Kept secure
- Destroyed after purpose is complete
Directive on Data Protection; Seven Tenets
- Notice; data subjects should be given notice when their
data is being collected
- Choice; data should not be disclosed without the data
subject’s consent
- Onward Transfer; data subjects should be informed as
to who is collecting their data
- Security; collected data should be kept secure from any
potential abuses
- Data Integrity; reliable, only stated purpose
- Access; data subjects should be allowed to access their
data and make corrections to any inaccurate data
- Enforcement; accountability, data subjects should have
a method available to them to hold data collectors
accountable for not following the above principles
NOT REASON or RETENTION TIME
US Org is Data Processors when they classify and handle data,
EU company would be Business/Mission owners, US org. would
also be Data Administrators
Data processors have responsibility to protect privacy of data
Dpt. of Commerce holds list of participants
Can transfer to non-Safe Harbor entities with permission
FTC – overseas compliance framework for organizations wishing
to use personal data of EU citizens
Self-certify but Dpt. Of Transportation or FTC can enforce
Gramm/Leach/Bailey Act delaying application to financial markets
Roles and responsibilities
Senior Manager ultimate responsibility
Information security Officer functional responsibility
- Ensure policies etc. are written by app. Unit
- Implement/operate CIRTs
- Provide leadership for security awareness
- Communicate risk to senior management
- Stay abreast of current threats and technology
Security Analyst Strategic, develops policies and guidelines
Data Ownership (128)
Data Life - Creation, use, destruction(subservient to security
policy)
Data/Information Owner
- Ultimate organizational responsibility for data
- Categorize systems and data, determine level of
classification
- Required controls are selected for each classification
- Select baseline security standards
- Determine impact information has on organization
- Understand replacement cost (if replaceable)
- Determine who needs the information and
circumstances for release
- Determine when information should be destroyed
- Responsible for asset
- Review and change classification
- Can delegate responsibility to data custodian
- Authorize user privileges
Data Custodian Responsibilities (129)
- Day-to-day tasks, grants permission to users in DAC
- Adhere to data policy and data ownership guidelines
- Ensure accessibility, maintain and monitor security
- Dataset maintenance, , archiving
- Documentation, including updating
- QA, validation and audits
- Run regular backups/restores and validity of them
- Insuring data integrity and security (CIA)
- Maintaining records in accordance to classification
- Applies user authorization
- Implement security controls
System Owners - Select security controls
Administrators
- Assign permission to access and handle data
End-user
- Uses information as their job
- Follow instructions in policies and guidelines
- Due care (prevent open view by e.g. Clean desk)
- Use corporation resources for corporation use
Auditor examines security controls
QC & QA (131)
QC – assessment of quality based on internal standards
QA – assessment of quality based on standards external to the
process and involves reviewing of the activities and quality control
processes.

7. Benefits of Data Standards (134)
Increased data sharing
Considerations (134)
Borders
Encryption
Data Modeling (135)
Smallest bits of information the Db will hold – granularity
When do we replace – then think about next one
CRITICAL = AVAILABILITY
Data Remanence (140)
Residual physical representation of data that has been in some
way erased. PaaS deals with it best in Cloud
Remanence - Residual data left on media after erase attempts
Remove unwanted remnant data from magnetic tapes
- Physical destruction
- Degaussing
- Overwriting
- NOT Reformatting
Sanitizing – Series of processes that removes data, ensures data
is unrecoverable by any means. Removing a computer from
service and disposed of. All storage media removed or destroyed.
Degaussing – AC erasure; alternating magnetic fields , DC
erasure; unidirectional magnetic field or permanent magnet, can
erase tapes
Erasing – deletion of files or media, removes link to file, least
effective
Overwriting/wiping/shredding – overwrites with pattern, may
miss
Zero fill – wipe a drive and fill with zeros
Clearing – Prepping media for reuse at same level. Removal of
sensitive data from storage devices in such a way that the data
may not be reconstructed using normal system functions or
utilities. May be recoverable with special lab equipment. Data just
overwritten.
Purging– More intense than clearing. Media can be reused in
lower systems. Removal of sensitive data with the intent that the
data cannot be reconstructed by any known technique.
Destruction – Incineration, crushing, shredding, and disintegration
are stages of this
Encrypt data is a good way to secure files sent through the
internet
SSD Data Destruction (142)
- NIST says to “disintegrate”
- SSD drives cannot be degaussed, space sectors, bad
sectors, and wear space/leveling may hide
nonaddressable data, encrypt is the solution
- Erase encryption key to be unreadable
- Crypto erase, sanitization, targeted overwrite (best)
Buy high quality media – value of data exceeds cost of media
Sanitation is business normal, not destruction for costs reasons
Reuse - Downgrading equipment for reuse will probably be more
expensive than buying new
Metadata – helps to label data and prevent loss before it leaves
the organization,
Data mart - metadata is stored in a more secure container
Baselines (154)
Select based on the data classification of the data stored/handled
- Which parts of enterprise can be protected by the same
baseline?
- Should baseline be applied throughout whole
enterprise?
- At what security level should baseline aim?
How will the controls be determined?
Baseline – Starting point that can be tailored to an organization
for a minimum security standard. Common security configurations,
Use Group Policies to check and enforce compliance
Scoping and Tailoring (157)
Narrows the focus and of the architecture to ensure that
appropriate risks are identified and addressed.
Scoping – reviewing baseline security controls and selecting only
those controls that apply to the IT system you’re trying to protect.
Tailoring – modifying the list of security controls within a baseline
so that they align with the mission of the organization.
Supplementation – adding assessment procedures or
assessment details to adequately meet the risk management
needs of the organization.
Link vs. End to End Encryption (174)
Link - is usually point to point EVERYTHING ENCRYPTED
“Black pipe, black oil, black ping pong balls” all data is encrypted,
normally did by service providers
End to End – You can see ALL BUT PAYLOAD, normally done by
users
YOU CAN LAYER THESE ENCRYPTION TYPES
Email is not secured unless encrypted
NETSCAPE INVENTED SSL, SSLv3 still used
USE TLSv1.2 now for test
PGP = GnuPG (GNP)– not rely on open
S/MIME – secure email
Nice to Know
Classifying Costs – cost are not a factor in classifying data but
are in controls
FTP and Telnet are unencrypted! SFTP and SSH provide
encryption to protect data and credentials that are used to log in
Record Retention Policies – how long data retained and
maintained
Removable Media – use strong encryption, like AES256, to
ensure loss of media does not result in data breach
Personnel Retention – Deals with the knowledge that employees
gain while employed.
Record Retention – retaining and maintaining information for as
long as it’s needed
Label Data – to make sure data is identifiable by its classification
level. Some label all media that contains data to prevent reuse of
Public media for sensitive data.
Data in RAM is Data in use.
CIS – Center for Internet Security; creates list of security controls
for OS, mobile, server, and network devices
Standards Selection (158 - 185)
NIST – National Institute of Standards and Technology
NIST SP 800 series - address computer security in a variety of
areas
800-14 NIST SP – GAPP for securing information technology
systems
800-18 NIST – How to develop security plans
800-27 NIST SP - Baseline for achieving security, five lifecycle
planning phases (defined in 800-14), 33 IT security principles
- Initiation
- Development/Acquisition
- Implementation
- Operation/Maintenance
- Disposal
800-88 - NIST guidelines for sanitation and disposition, prevents
data remanence
800-122 - NIST Special Publication – defines PII as any
information that can be used to trace a person identity such as
SSN, name, DOB, place of birth, mother’s maiden name
800-137 - build/implement info security continuous monitoring
program: define, establish, implement, analyze and report,
800-145 - cloud computing
FIPS – Federal Information Processing Standards; official series of
publications relating to standards and guidelines adopted under the
FISMA, Federal Information Security Management Act of 2002.
FIPS 199 – Standards for categorizing information and information
systems.
FIPS 200 – minimum security requirements for Federal information
and information systems
DOD 8510.01 – establishes DIACAP
ISO 15288 – International systems engineering standard covering
processes and life cycle stages
- Agreement
- Organization Project-enabling
- Technical Management
- Technical
Nice to Know
COPPA – California Online Privacy Protection Act, operators of
commercial websites post a privacy policy if collecting personal
information on CA residents
Curie Temperature – Critical point where a material’s intrinsic
magnetic alignment changes direction.
Dar – Data at rest; inactive data that is physically stored, not RAM,
biggest threat is a data breach, full disk encryption protects it
(Microsoft Bitlocker and Microsoft EFS, which use AES, are apps)
DLP – Data Loss/Leakage Prevention, use labels to determine the
appropriate control to apply to data. Won’t modify labels in real-
time.
ECM – Enterprise Content Management; centrally managed and
controlled
Non-disclosure Agreement – legal agreement that prevents
employees from sharing proprietary information
PCI-DSS – Payment and Card Industry – Security Standards
Council; credit cards, provides a set of security controls /standards
Watermark – embedded data to help ID owner of a file, digitally
label data and can be used to indicate ownership.

8. Systems Engineering & Modeling (194)
Common Criteria ISO 15408 - Structured methodology for
documenting security requirements, documenting and
validating ****
A SECURITY PRODUCT MAY BE CERTIFIED
Defines a protection profile that specifies the security
requirements and protections of a product that is to be evaluated.
Organized around TCB entities. Evaluation Assurance Levels
(EAL)
- EAL0 –Inadequate assurance
- EAL1 –Functionally tested
- EAL2 –Structurally tested
- EAL3 –Methodically tested and checked
- EAL4 –Methodically designed, tested and reviewed
- EAL5 –Semi formally designed and tested
- EAL6 –Semi formally verified design and tested
- EAL7 –Formally verified design and tested
Target of Evaluation (TOE): the product
Protection Profile (PP): set of security requirements for a category
of products that meet specific consumer security needs
Security Target (ST): identifies the security properties of TOE
Security Functional Requirements (SFRs): Specific individual
security functions
Engineering Principles for IT Security (194)
NIST SP 800-27
 Initiation; need expressed, purpose documented, impact
assessment
 Development/Acquisition; system designed, purchased,
programmed, developed or constructed.
 Implementation; system tested and installed, certification
and accreditation
 Operation/Maintenance; performs function, security
operations, audits
Disposal; disposition of information, HW and SW
Physical controls are your first line of defense, and people are
your last.
ISO/IEC 21827:2008 SSE-CMM (Maturity Model)
(196)
BIGGEST JUMP IN MATURITY MODEL? 2 – 3. FROM
REACTIVE TO PROACTIVE
OS Kernel ()
Loads & runs binary programs, schedules task swapping,
allocates memory & tracks physical location of files on computers
hard disk, manages IO/OP requests from software, & translates
them into instructions for CPU
Common System Components (198)
Primary Storage – is a temporary storage area for data entering
and leaving the CPU
Random Access Memory (RAM) – is a temporary holding place
for data used by the operating systems. It is volatile; meaning if it
is turned off the data will be lost. Two types of RAM are dynamic
and static. Dynamic RAM needs to be refreshed from time to time
or the data will be lost. Static RAM does not need to be refreshed.
Read-Only Memory (ROM) – is non-volatile, which means when a
computer is turned off the data is not lost; for the most part ROM
cannot be altered. ROM is sometimes referred to as firmware.
Erasable and Programmable Read-Only Memory (EPROM) is non-
volatile like ROM, however EPROM can be altered.
Process states:
- Stopped; process finishes or must be terminated
- Waiting; the process is ready for continued execution but
is waiting for a device or access request
- Running; executes on the CPU and keeps going until it
finishes, its time slice expires, or it is blocked
- Ready; process prepared to execute when CPU ready
Multitasking – execute more than one task at the same
time
Multiprocessing – more than one CPU is involved.
Multi-Threading: execute different parts of a program
simultaneously
Single state machine – operates in the security environment at
the
highest level of classification of the information within the
computer. In other words, all users on that system must have
clearance to access the info on that system.
Multi-state machine – can offer several security levels without risk
of compromising the system’s integrity.
CICS – complex instructions. Many operations per instruction. Less
number of fetches
RISC – reduced instructions. Simpler operations per instruction.
More fetches.
Software
1 GL: machine language (used directly by a computer)
2GL: assembler
3GL: FORTRAN. Basic pl/1 and C++
4GL: Natural / focus and SQL
5GL: Prolog, lisp artificial intelligence languages based on logic
Memory Protection (200)
Segmentation – dividing a computer’s memory into segments.
Protection Keying – Numerical values, Divides physical memory
up into particular sized blocks, each of which has an associated
numerical value called a protection key.
Paging – divides memory address space into even size blocks
called pages. To emulate that we have more RAM than we have.
SYSTEM KERNAL KNOWS THE LOCATION OF THE PAGE FILE
DEP, Data Execution Prevention – a system-level
memory protection feature that is built into the OS
DEP prevents code from being run from data pages
such as the default heap, stacks, and memory pools.
ITIL (208)
The ITIL Core includes five publications addressing the overall life
cycle of systems. ITIL as a whole identifies best practices that an
organization can adopt to increase overall availability, and the
Service Transition publication addresses configuration
management and change management processes.
- Service Strategy
- Service Design
- Service Transition
- Service Operations
- Continuous Service Improvement
Types of Security Models (210)
Defining allowed interactions between subjects (active parties) and
objects (passive parties) at a particular moment in time.
State Machine Model – describes a system that is always secure
no matter what state it is in. If all aspects of a state meet the
requirements of the security policy, that state is considered
secure. A transition occurs when accepting input or producing
output. A transition always results in a new state (also called a
state transition). A secure state machine model system always
boots into a secure state, maintains a secure state across all
transitions, and allows subjects to access resources only in a
secure manner compliant with the security policy.
Information Flow Model – focuses on the flow of information.
Information flow models are based on a state machine model. The
Bell-LaPadula and Biba models are both information flow models.
Information flow models don’t necessarily deal with only the
direction of information flow; they can also address the type of
flow. Information flow models are designed to prevent
unauthorized, insecure, or restricted information flow, often
between different levels of security (these are often referred to as
multilevel models). The information flow model also addresses
covert channels by specifically excluding all non-defined flow
pathways.
Noninterference Model – is loosely based on the information flow
model. However, instead of being concerned about the flow of
information, the noninterference model is concerned with how the
actions of a subject at a higher security level affect the system
state or the actions of a subject at a lower security level. Basically,
the actions of subject A (high) should not affect the actions of
subject B (low) or even be noticed by subject B. The
noninterference model can be imposed to provide a form of
protection against damage caused by malicious programs such as
Trojan horses. Southerland Model
Techniques for Ensuring CIA
Confinement – to restrict the actions of a program. Simply put,
process confinement allows a process to read from and write to
only certain memory locations and resources. This is also known
as sandboxing.
Bounds – a process consist of limits set on the memory addresses
and resources it can access. The bounds state the area within
which a process is confined or contained.
Isolation – When a process is confined through enforcing access
bounds that process runs in isolation. Process isolation ensures
that any behavior will affect only the memory and resources
associated with the isolated process.

9. Models (211)
MATRIX
- Provides access rights to subjects for objects
- Access rights are read, write and execute
- Columns are ACL’s
- Rows are capability lists
- Supports discretionary access control
BELL-LAPADULA = MAC SUBJECTS/OBJECTS/CLEARANCES/
- Confidentiality model
- developed by DOD, thus classification
- Cannot read up (simple e=read security rule)
- Cannot write down (* property rule AKA CONFINEMENT
PROPERTY). Exception is a trusted subject.
- Uses access matrix to specify discretionary access control
- Use need to know principle
- Strong star rule: read and write capabilities at the same
level
- First mathematical model defined
- tranquility principle in Bell-LaPadula prevents security
level of subjects from being changed once they are created
- Bell-LaPadula is concerned with preventing information flow
from a high security level to a low security level.
BIBA – MAC “if I in it INTEGRITY MODEL”
- Integrity model
- Cannot read down (simple e=read integrity rule)
- Simple integrity property
- cannot write up (* integrity)
- lattice based (least upper bound, greatest lower bound, flow
policy)
- subject at one level of integrity cant invoke subject at a
higher level of integrity
- Biba is concerned with preventing information flow from a
low security level to a high security level.
- Focus on protecting objects from external threat
CLARK WILSON
- integrity model
- Cannot be tampered, logged, and consistency
- Enforces segregation of duty
- Requires auditing
- Commercial use
- Works with SCI Constrained Data items, data item whose
integrity is to be preserved
- Access to objects only through programs
- An integrity verification procedure (IVP) is a procedure that
scans data items and confirms their integrity.
Information flow model
- Each object is assigned a security class and value, and
information is constrained to flow in the directions that are
permitted by the security policy. Thus flow of information
from one security level to another. (Bell & Biba)
Brewer and Nash
- The Chinese Wall model provides a dynamic access
control depending on user’s previous actions. This model
prevents conflict of interests from members of the same
organization to look at information that creates a conflict of
another member of that organization.
Lipner Model – Confidentiality and Integrity, BLP + Biba
1st
Commercial Model
Models (211) (cont)
Graham-Denning
- focused on relationship between subjects and objects
TAKE-GRANT
- uses a direct graph to specify the rights that subjects can
transfer to objects or that subjects can take from other
subjects
- Uses STATES and STATE TRANSTIONS
Composition Theories
Some other models that fall into the information flow category build on
the notion of how inputs and outputs between multiple systems relate
to one another— which follows how information flows between
systems rather than within an individual system. These are called
composition theories because they explain how outputs from one
system relate to inputs to another system.
There are three recognized types of composition theories:
- Cascading: Input for one system comes from the output of
another system.
- Feedback: One system provides input to another system,
which reciprocates by reversing those roles (so that system
A first provides input for system B and then system B
provides input to system A).
- Hookup: One system sends input to another system but
also sends input to external entities.
MAC – Subjects are labelled as to their level of clearance. Objects are
labelled as to their level of classification or sensitivity.
Subjects – Users(perform work task), Data Owners(protect data), and
Data Custodians (classify and protect data)
ITSEC (216)
- refers to any system being evaluated as a target of
evaluation (TOE).
- does not rely on the notion of a TCB, and it doesn’t require
that a system’s security components be isolated within a
TCB.
- includes coverage for maintaining targets of evaluation after
changes occur without requiring a new formal evaluation.
Certification and Accreditation (216)
Certification – is evaluation of security features and safeguards if
it meets requirements. Certification is the comprehensive
evaluation of the technical and nontechnical security features of an
IT system and other safeguards made in support of the
accreditation process to establish the extent to which a particular
design and implementation meets a set of specified security
requirements.
Accreditation – the formal declaration by the designated
approving authority (DAA) that an IT system is approved to operate
in a particular security mode using a prescribed set of safeguards
at an acceptable level of risk. Once accreditation is performed,
management can formally accept the adequacy of the overall
security performance of an evaluated system.
System accreditation – a major application or general support
system is evaluated.
Site accreditation – the applications and systems at a specific,
self-contained location are evaluated.
Type accreditation – an application or system that is distributed to
a number of different locations is evaluated.
Product Evaluation Models (216)
Trusted Computer System Evaluation Criteria
TCSEC: (Orange book) From the U.S. DoD, it evaluates operating
systems, application and systems. It doesn’t touch the network
part. It only addresses confidentiality!
ITSEC TCSEC Explanation
1 D minimal protection, any systems that fails
higher levels
2 C1 DAC; (identification, authentication,
resource protection).
3 C2 DAC; Controlled access protection (object
reuse, protect audit trail).
4 B1 MAC; (security labels) based on Bell
LaPadula security model. Labeled security
(process isolation, devices
5 B2 MAC; Structured protection (trusted path,
covert channel analysis). Separate
operator/admin roles. Configuration
management
6 B3 MAC; security domain (trusted recovery,
Monitor event and notification).
7 A MAC; Formal, verified protection
Operational assurance requirements for TCSEC are:
- System Architecture
- System Integrity
- Covert Channel analysis
- Trusted Facility Management
- Trusted recovery
Rainbow series:
Red = trusted network, Orange = TCSEC evaluation
Brown = trusted facilities management
dcsmmmTan = audit, Aqua = glossary.
Green = password management
Information Technology Security Evaluation Criteria
ITSEC: it is used in Europe only, not USA. Addresses CIA. Unlike
TCSEC it evaluates functionality and assurance separately.
Assurance from E0 to E6 (highest) and F1 to F10 (highest).
Therefore a system can provide low assurance and high
functionality or vice-versa.

10. Security Standards (222) Memory Components Cloud Service Models (241)
Original service models – SaaS, PaaS; original deployment
model- community & hybrid
PaaS – Platform-as-a-Service is the concept of providing a
computing platform and software solution stack as a virtual or cloud-
based service. Essentially, this type of cloud solution provides all the
aspects of a platform (that is, the operating system and complete
solution package). The primary attraction of PaaS is the avoidance of
having to purchase and maintain high-end hardware and software
locally. Customer supplies application code that the vendor then
executes on its own infrastructure
SaaS – Software-as-a-Service, is a derivative of PaaS. SaaS
provides on-demand online access to specific software applications
or suites without the need for local installation. In many cases, there
are few local hardware and OS limitations.
IaaS – Infrastructure-as-a-Service, takes the PaaS model yet another
step forward and provides not just on-demand operating solutions
but complete outsourcing options. This can include utility or metered
computing services, administrative task automation, dynamic scaling,
virtualization services, policy implementation and management
services, and managed/ filtered Internet connectivity.
Deployment Models, parent organization still responsible for patching
OS of virtual hosts,
CaaS – not a TERM!
- Private; cloud-based assets for a single organization.
Organizations can create and host private clouds using
their own resources.
- Community; provides cloud-based assets to two or more
organizations. Maintenance responsibilities are shared
based on who is hosting the assets and the service
models.
- Public; model includes assets available for any consumers
to rent or lease and is hosted by an external CSP. Service
level agreements can be effective at ensuring the CSP
provides the cloud-based services at a level acceptable to
the organization.
Hybrid – mix of public and private
Database Security (237)
Aggregation – SQL provides a number of functions that combine
records from one or more tables to produce potentially useful
information. Aggregation is not without its security vulnerabilities.
Aggregation attacks are used to collect numerous low-level security
items and combine them to create something of a higher security
level or value.
Inference – involve combining several pieces of non-sensitive
information to gain access to information that should be classified at
a higher level. However, inference makes use of the human mind’s
deductive capacity rather than the raw mathematical ability of
modern database platforms.
Data Warehousing – large databases, store large amounts of
information from a variety of databases for use with specialized
analysis techniques.
Data Mining – technique allow analysts to comb through data
warehouses and look for potential correlated information.
Data dictionary – commonly used for storing critical information
about data, including usage, type, sources, DBMS software reads
the data
ISO 27001 – focused on the standardization and certification of an
organization’s information security management system (ISMS),
security governance, a standard; ISMS. Info security minimum
systems
ISO 27002 – (inspired from ISO 17799) – a guideline which lists
security control objectives and recommends a range of specific
security controls; more granular than 27001. 14 areas
BOTH INSPIRED FROM BS7799
Control Frameworks (223)
Consider the overall control framework or structure of the security
solution desired by the organization.
COBIT – Control Objectives for Information and Related
Technology, is a documented set of best IT security practices
crafted by the Information Systems Audit and Control Association
(ISACA). It prescribes goals and requirements for security controls
and encourages the mapping of IT security ideals to business
objectives.
COBIT 5 – is based on five key principles for governance and
management of enterprise IT:
 Principle 1: Meeting Stakeholder Needs
 Principle 2: Covering the Enterprise End-to-End
 Principle 3: Applying a Single, Integrated Framework
 Principle 4: Enabling a Holistic Approach
 Principle 5: Separating Governance from Management.
COBIT is used not only to plan the IT security of an
organization but also as a guideline for auditors.
Virtualization (229)
Used to host one or more operating systems within the memory of
a single host computer. Such an OS is also known as a guest
operating system. From the perspective that there is an original or
host OS installed directly on the computer hardware, the additional
Oses hosted by the hypervisor system are guests.
- Virtual machine – simulated environment created by
the OS to provide a safe and efficient place for
programs to execute.
- Virtual SAN – software-defined shared storage system
is a virtual re-creation of a SAN on top of a virtualized
network or an SDN.
Timing (233)
TOCTTOU attack - race condition exploits, and communication
disconnects are known as state attacks because they attack
timing, data flow control, and transition between one system state
to another.
RACE - two or more processes require access to the same
resource and must complete their tasks in the proper order for
normal functions
Register – CPU also includes a limited amount of onboard
memory, known as registers, that provide it with directly
accessible memory locations that the brain of the CPU, the
arithmetic-logical unit (ALU), uses when performing calculations
or processing instructions, small memory locations directly in the
CPU.
Stack Memory Segment – used by processors to communicate
instructions and data to each other
Monolithic Operating System Architecture – all of the code
working in kernel mode/system mode in an ad hoc and non-
modularized OS
Memory Addressing – When using memory resources, the
processor must have some means of referring to various
locations in memory. The solution to this problem is known as
addressing,
- Register Addressing – When the CPU needs
information from one of its registers to complete an
operation, it uses a register address (for example,
“register 1”) to access its contents.
- Immediate Addressing – is not a memory addressing
scheme per se but rather a way of referring to data that
is supplied to the CPU as part of an instruction. For
example, the CPU might process the command “Add 2
to the value in register 1.” This command uses two
addressing schemes. The first is immediate
addressing— the CPU is being told to add the value 2
and does not need to retrieve that value from a memory
location— it’s supplied as part of the command. The
second is register addressing; it’s instructed to retrieve
the value from register 1.
- Direct Addressing – In direct addressing, the CPU is
provided with an actual address of the memory location
to access. The address must be located on the same
memory page as the instruction being executed. Direct
addressing is more flexible than immediate addressing
since the contents of the memory location can be
changed more readily than reprogramming the
immediate addressing’s hard-coded data. Indirect
Addressing
- Indirect addressing – uses a scheme similar to direct
addressing. However, the memory address supplied to
the CPU as part of the instruction doesn’t contain the
actual value that the CPU is to use as an operand.
Instead, the memory address contains another memory
address (perhaps located on a different page). The
CPU reads the indirect address to learn the address
where the desired data resides and then retrieves the
actual operand from that address.
- Base + Offset Addressing – uses a value stored in
one of the CPU’s registers as the base location from
which to begin counting. The CPU then adds the offset
supplied with the instruction to that base address and
retrieves the operand from that computed memory
location.

11. Key Encryption Concepts and Definitions (243)
Purpose: protect transmitted information from being read and
understood except by the intended recipient
Substitution – like shifting and rotating alphabets, can be broken
by statistical looking at repeating characters or repeats
Vernam – cipher (one time pad): - key of a random set of non-
repeating characters
Information Theory – Claude Elmwood Shannon
Transposition – Permutation is used, meaning that letters are
scrambled. The key determines positions that the characters are
moved to, for example vertical instead of horizontal
Null Cipher – used in cases where the use of encryption is not
necessary but yet the fact that no encryption is needed must be
configured in order for the system to work. Ex. Testing,
stenography
Key Length – use with each algorithm based on the sensitivity of
information transmitted, longer key the better!
Key space – is the range of values that are valid for use as a key
for a specific algorithm. A key space is defined by its bit size. Bit
size is nothing more than the number of binary bits (0s and 1s) in
the key. The key space is the range between the key that has all 0s
and the key that has all 1s. Key space doubles each time you add
a bit to key length, which makes cryptanalysis more difficult.
Key Clustering – when different encryption keys generate the
same ciphertext from the same plaintext message BAD
Synchronous – each encryption or decryption request is
performed immediately
Asynchronous – encrypt/decrypt request are processed in
queues.
Hash Function – one-way mathematical operation that reduces a
message or data file into a smaller fixed length output. Encrypted
using private key of sender.
Registration Authority – performs certificate registration services
on behalf of a CA. RA verifies user credentials
Certificate Authority – PKI, entity trusted by one or more users as
an authority in a network that issues, revokes, and manages
digital certificates.
Key Space – represents the total number of possible values of
keys in a cryptographic algorithm for the encryption of a plaintext
block sequence to increase security by introducing additional
cryptographic variance. HOW HARD TO BRUTE FORCE
Transposition/permutation – process of reordering plaintext to
hide the message rambo = ombar
SP-network – process described by Claude Shannon used in most
block ciphers to increase their strength
Confusion – mixing the key values during repeated rounds of
encryption, make the relationship between ciphertext and key as
complex as possible
Diffusion – mix location of plaintext throughout ciphertext, change
of a single bit should drastically change hash, dissipate pattern
Meet in the Middle – Attackers might use a meet-in-the-middle
attack to defeat encryption algorithms that use two rounds of
encryption. This attack is the reason that Double DES (2DES) was
quickly discarded as a viable enhancement to the DES encryption
(it was replaced by Triple DES (3DES, TDES, EEE, EDE).
Key Encryption Concepts and Definitions (cont.)
Block Cipher – segregating plaintext into blocks and applying
identical encryption algorithm and key
Cipher – cryptographically transformation that operates on
characters or bits. DES, word scramble, shift letters
Cipher text or Cryptogram – unintelligible message, encrypt text
Clustering – situation wherein plain text messages generates
identical cipher text messages using the same algorithm but with
different crypto-variables or keys
Codes – cryptographic transformation that operates at the level of
words or phrases, one by land, two by sea
Cryptanalysis – breaking the cipher text,
Cryptographic Algorithm – Step by step procedure to encipher
plaintext and decipher cipher text
Cryptography – the art and science of hiding the meaning of
communications from unintended recipients. (Greek:
kryptos=hidden, graphein=to write)
Cryptology: cryptography + cryptanalysis
Cryptosystem – set of transformations from a message space to
cipher space
Decipher – To make the message readable, undo encipherment
process
Encipher – make message unintelligible
End-to-end encryption – Encrypted information that is sent from
point of origin to destination. In symmetric encryption this means
both having the same identical key for the session
Exclusive OR – Boolean operation that performs binary addition
Key or Crypto variable – Information or sequence that controls
the enciphering and deciphering of messages
Link encryption – stacked encryption using different keys to
encrypt each time
One Time Pad – encipher each character with its own unique key
that is used only once, unbreakable supposedly
PGP (GPG) – encrypt attached files
Plaintext – message in clear text readable form
Steganography – secret communications where the existence of
a message is hidden (inside images for example)
Dumpster Diving – of going through someone’s trash to find
useful or confidential info –it is legal but unethical in nature
Phishing – act of sending spoofed messages that pretend to
originate from a source the user trusts (like a bank)
Social Engineering – act of tricking someone into
giving sensitive or confidential info that may be used
against the company
Script kiddie – someone with moderate hacking
skills, gets code from the Internet.
Red boxing – pay phones cracking
Black Boxing – manipulates toll-free line voltage to phone for free
Blue Boxing – tone simulation that mimics telephone co. system
and allows long distance call authorization
White box – dual tone, multifrequency generator to control phone
system
Phreakers – hackers who commit crimes against phone
companies
Salami – removal of a small amount of money otherwise known as
skimming
Key Encryption Concepts and Definitions (cont.)
Zero-knowledge proof – is a communication concept. A specific
type of information is exchanged but no real data is transferred, as
with digital signatures and digital certificates. Understand split
knowledge. “magic door”
Split knowledge – means that the information or privilege required
to perform an operation is divided among multiple users. This
ensures that no single person has sufficient privileges to
compromise the security of the environment. M of N Control
(multiparty key recovery) is an example of split knowledge.
Skipjack – Like many block ciphers, Skipjack operates on 64-bit
blocks of text. It uses an 80-bit key and supports the same four
modes of operation supported by DES. Skipjack was quickly
embraced by the US government and provides the cryptographic
routines supporting the Clipper and Capstone encryption chips.
However, Skipjack has an added twist— it supports the escrow of
encryption keys.
Goals of Cryptography
Confidentiality
Integrity
Proof of origin
Non-repudiation
Protect data at rest
Protect data in transit
Cryptographic Concepts
Key Clustering – when different encryption keys generate the
same ciphertext from the same plaintext message
Work Factor – time and effort required to break a protective
measure
Kirchhoff’s Principle – all but key, secure
Synchronous and self-synchronous
Random Number Generators (RNGs)
Vigenere Cipher – uses key words and numerous rows
(traditionally 26), each one of which is offset by one.
Security Monitoring
- Reference Monitor and security kernel are used to
determine whether a user should be allowed to access
an object
- “complete mediation” means that all subjects must be
authenticated and their access rights verified before they
can access any object

12. Methods of Cryptography (247)
Stream-based Ciphers – operate on one character or bit of a
message (or data stream) at a time. The Caesar cipher is an
example of a stream and shift cipher. The one-time pad is also a
stream cipher because the algorithm operates on each letter of the
plaintext message independently. SUBSTITUTION, real-time
Advantage – bit by bit substitution with XOR & keystream
Emulates one time pad
No size difference between plaintext and ciphertext
Disadvantage
Can be difficult to implement correctly
Generally weaker than block mode cipher
Difficult to generate a truly random unbiased keystream
Wireless
Stream Cipher Uses
WEP, WPA – use WEP if you have nothing else
RC4
Audio Visual
Block-based Ciphers – ciphers operate on “chunks,” or blocks, of
a message and apply the encryption algorithm to an entire message
block at the same time. The transposition ciphers are examples of
block ciphers. SUBSTITUTION & TRANSPOSITION
No longer common/effective attack on wireless networks
Cipher Modes (249)
- CBC Cipher Block Chaining - blocks of 64 bits with
- 64bits initialization vector. Errors will propagate ECB
Electronic Code Book - right block/left block pairing 1-1.
Replication occurs. Secure short messages,
- Cipher Feedback CFB - stream cipher where the cipher text
is used as feedback into key generation. errors will propagate
- Output Feedback OFB - stream cipher that generates the key
but XOR-ing the plaintext with a key stream. No errors will
propagate
- Counter (CTR) – secure long messages
See 111000111000 it’s XOR
Symmetric Cryptography (254)
- Both the receiver and the sender share a common secret
key.
- Larger key size is safer > 128
- Can be time-stamped (to counter replay attacks)
- Does not provide mechanisms for authentication and
non-repudiation
DES (data Encryption Standard) comes from IBM
- DEA Data Encryption Algorithm x3.92, using 64 block
size and 56bit key with 8bits parity
- 16-rounds of substitution and transposition
cryptosystem
- Adds confusion(conceals statistical connect between
cipher text and plaintext) and Diffusion (spread the
influence of plaintext characters over many cipher text
characters by means of transposition like HIDE
IHED) - Triple des = three times encrypted DES,
preferably with 3 different keys = DES-EE3. Actual key
length = 168 bits. Uses 48 rounds of computations
(3x16)
- Replaced by AES Advanced Encryption Standard
Symmetric Cryptography (254) (cont)
AES Advanced Encryption Standard –
- one of the most popular symmetric encryption algorithms
- NIST selected it as a standard replacement for the older
Data Encryption Standard (DES) in 2001.
- BitLocker (a full disk encryption application used with a
Trusted Platform Module) uses AES
- Microsoft Encrypting File System (EFS) uses AES for file
and folder encryption
- AES supports key sizes of 128 bits, 192 bits, and 256
bits, and the US government has approved its use to
protect classified data up to top secret
- Larger key sizes add additional security, making it more
difficult for unauthorized personnel to decrypt the data.
- Keys are 128, 192, and 256 bits, blocks 128 bits.
Rijndael Block Cipher Algorithm - for speed, simplicity and
resistance against known attacks. Variable block length
and variable key lengths (128,192 and 256 bits)
Not selected for AES were:
- RC5 - variable algorithm up 0 to 2048 bits key size
- Rivest Cipher 5, or RC5, is a symmetric algorithm patented by
Rivest, Shamir, and Adleman (RSA) Data Security, the people
who developed the RSA asymmetric algorithm. RC5 is a block
cipher of variable block sizes (32, 64, or 128 bits) that uses
key sizes between 0 (zero) length and 2,040 bits.
- IDEA - International Data Encryption Algorithm
64 bit plaintext and 128 key length with confusion and
diffusion used in PGP software patented requires licenses
fees/free noncom.
- Two fish - key lengths 256 bits blocks of 128 in 16rounds
BEAT OUT BY Rijndal for AES, based on Blowfish
- Blowfish - by Bruce Schneider key lengths 32 to 448 bits,
used on Linux systems that use bcrypt (DES alternative)
Asymmetric Cryptography (262)
 Sender and receiver have public and private keys.
 Public to encrypt a message, private to decrypt
 Slower than symmetric, secret key (100 to 1000)
Public Key Algorithms
RSA - (Rivest, Shamir, & Adleman) works with one way
math with large prime numbers (aka trap door
functions). Can be used for encryption, key exchange
and digital signatures)
Diffie Hellman Key exchange - about exchanging
secret keys over an insecure medium without exposing
the keys
el Gamal – works with discrete logarithms, based on
Diffie Hellman
DSA Digital Signature Algorithm – the US Government
Equivalent of the RSA algorithm
ECC - Elliptic Curve Cryptosystem - mathematical properties
of elliptical curves, IT REQUIRES FEWER RESOURCES THAN
RSA. Used in low power systems (mobile phones etc.)
BOTH a hashing and an asymmetric key algorithm; MD5 & ECC
Hybrid Cryptography (266)
Uses both asymmetrical and symmetrical encryption
- asymmetrical for key exchange
- symmetrical for the bulk - thus it is fast
- example: SSL, PGP, IPSEC S/MIME
Message Digest – summaries of a message’s content (not unlike a
file checksum) produced by a hashing algorithm, checksum?
MAC – Message Authentication Code
Security Assertion Markup Language (SAML) (271)
SAML is an XML-based convention for the organization and
exchange of communication authentication and authorization details
between security domains, often over web protocols. SAML is often
used to provide a web-based SSO (single sign-on) solution. If an
attacker can falsify SAML communications or steal a visitor’s access
token, they may be able to bypass authentication and gain access
SAML is a common protocol used for SSO on the Internet.
*Best choice to support a federated identity management system,
Does not have a security mode and relies on TLS and digital
signatures
If home organization offline implement a cloud based system
User training about SSO directs a good idea
Service Provisioning Markup Language (SPML)
(271)
Allow platforms to generate and respond to provisioning requests It is
a newer framework based on XML but specifically designed for
exchanging user information for federated identity single sign-on
purposes. It is based on the Directory Service Markup Language
(DSML), which can display LDAP-based directory service information
in an XML format.
Cyber-Physical Systems (CPS) (278)
Smart networked systems with embedded sensors, processors, and
actuators that are designed to sense and interact with the physical
world.
History of Crypto (284)
Hieroglyphics - sacred carvings
Scythe - wound papyrus around a wooden rod to see message
Substitution character- shifting 3 character (C3) for example in the
one (mono-alphabet) alphabet system
Cipher disks - 2 rotating disks with an alphabet around it
Jefferson disks - 26 disks that cipher text using an alignment bar
Unix - uses rot 13 rotate 13 places in the alphabet
Hagelin machine (M-209) - mechanical cryptographic machine
Enigma - poly-alphabetic substitution cipher machine
SABSA – Sherwood Applied business security architecture chain of
traceability, 6 layers
TOGAF – method step by step process and framework. These are the
tools to go forward FRAMEWORK AND METHOD
Zachman Framework – common context to understand a complex
architecture, communication and collaboration

14. PKI (289)
Understand the public key infrastructure (PKI). In the public key
infrastructure, certificate authorities (CAs) generate digital
certificates containing the public keys of system users. Users then
distribute these certificates to people with whom they want to
communicate. Certificate recipients verify a certificate using the
CA’s public key.
X.509 standard = PKI.
Serial number, owner, issuer name
Integrity (hash code and message digest), access control,
confidentiality (by encryption), authentication (digital certificates)
and non-repudiation (digital signatures)
issuer signs a certificate
If you only want to check if a mail is not altered: use digital
signature! Proves that the signature was provided by the intended
signer
trust anchor = public key that has been verified and that’s trusted
Digital signatures (296)
- no modifications allowed
- identity can be derived
- Works with a one-way hash (message digest), like SHA-
1 (512 bit blocks) or MD5 (128 bits digest) or HMAC
that uses a key
- Acceptable encryption algorithms choices – DSA, RSA,
ECDSA
HASH it and ENCRYPT message digest
Correct way to create and use a digital signature – hash the
document, encrypt only the hash with the sender’s private key, send
both the plain text document and the encrypted hash to recipient.
Email Security (297)
S/Mime - Confidentiality (encryption) Integrity (using PKCS X.509
PKI) and non-rep through signed message digests
PEM - Privacy Enhanced Email Encryption (AES) PKI X.509 and
RSA
Message Security protocol - Military X.400. Sign, Encrypt, Hash
Pretty Good Privacy - uses IDEA and RSA instead
Digital Certificates
contain specific identifying information and their construction is
governed by international standard (X.509), creation and validation
of digital certificates
Who signs a digital certificate – someone vouching for person not
the person.
CRLs - Certificate Revocation Lists are maintained by the various
certificate authorities and contain the serial numbers of certificates
that have been issued by a CA and have been revoked along with
the date and time the revocation went into effect.
Hashing (300)
ATTACK HASH BY BRUTE FORCE and dictionary
CRYPTANALYSIS
Basic Technique –
BRUTE Force will win with no constraints
input of any length and generate a fixed length output
Hash algorithms (Message Digests)
Requirements for HASH
- works on non-fixed length input
- must be relatively easy to compute for any input
- function must be one way
- function must be one way
Most used are MD5 (message Digest 128 bits) and SHA1
(signature hashing algorithm 160 bits)
MD5 – hashing algorithm. It also processes 512-bit blocks of
the message, but it uses four distinct rounds of computation to
produce a digest of the same length as the MD2 and MD4
algorithms (128 bits). MD5 has the same padding requirements
as MD4— the message length must be 64 bits less than a
multiple of 512 bits. MD5 implements additional security
features that reduce the speed of message digest production
significantly. Unfortunately, recent cryptanalytic attacks
demonstrated that the MD5 protocol is subject to collisions,
preventing its use for ensuring message integrity. it is possible
to create two digital certificates from different public keys that
have the same MD5 hash.
CRL’s of a PKI environment holds serial numbers
SHA1 - was designed by NIST and NSA to be used in digital
signatures
Standard is SHA3 most still use SHA2
root Certificate Authority (CA) must certify its own public key
pair
cross certification does not check authenticity of the certificates
in the certificates path; MD5 not good for securing passwords
Traffic analysis - inference of information from analysis of
traffic
Traffic padding - generation of spurious data units
Collision - Same message digest as a result of hashing.
Cryptographic Attacks
Ciphertext Only - attacker sees only the ciphertext, one of the
most difficult
Known Plaintext - attacker knowns both cipher and plaintext
Chosen Plaintext - offline attack (attacker prepares list of
plaintexts) -lunch box attack
online attack - (attacker chooses the plaintext based on the
ciphertext already received)
Chosen ciphertext - attacker chooses both the plaintext values
and the ciphertext values, cherry picking, feed info and based
on what you learned get key
Birthday Attack - Collisions appear much fasters, birthdays
match
POODLE - (Padding Oracle on Downgraded Legacy
Encryption) attack helped force the movement from SSL 3.0 to
TLS because it allowed attackers to easily access SSL
encrypted messages.
CRIME/BEAST - earlier attacks against SSL
STUXNET – worm aimed at Iranian nuclear capability
Other things to know
Objects of sensitivity labels are: single classification and component set
‘dominate’ in access control means access to higher or equal access
class
Security perimeter = line between TCB and outside
Validating TCB = formal for system integrity
Digital Rights Management (298)
uses encryption to enforce copyright restrictions on digital media.
serves to bring U.S. copyright law into compliance with terms of two
World Intellectual Property Organization (WIPO) treaties. The first major
provision of the DMCA is the prohibition of attempts to circumvent
copyright protection mechanisms placed on a protected work by the
copyright holder.
Skip - s a distribution protocol
RC4 - is a stream cipher
RC5 and RC6 are block cipher
FIPS 140 hardware and software requirements
Applets
Applets – these code objects are sent from a server to a client to
perform some action. In fact, applets are actually self-contained
miniature programs that execute independently of the server that sent
them.
Java applets – are simply short Java programs transmitted over the
Internet to perform operations on a remote system.
ActiveX – controls are Microsoft’s answer to Sun’s Java applets.
Operate in a similar fashion, but they are implemented using a variety of
languages(C, C + +, Java). Two key distinctions between Java applets
and ActiveX controls. First, ActiveX controls use proprietary Microsoft
technology and, therefore, can execute only on systems running
Microsoft browsers. Second, ActiveX controls are not subject to the
sandbox restrictions placed on Java applets. They have full access to the
Windows operating environment and can perform a number of privileged
actions.

15. Threats (317) Electrical Power (319) Fire (328)
Prevention
Training construction, supplies, reach ability
Detection
Manual: pull boxes
Automatic dial- up: Fire department, aka Auxiliary station alarm
Detectors:
- Smoke activated,
- Heat activated,
- Flame activated(infrared)
Classes
A Common WATER, SODA ACID (take away temp)
B Liquids----GAS/CO2, SODA ACID (takes away fuel)
C Electrical-----GAS/CO2 (displace O2)
D Metals----DRY POWDER
WATER suppress temperature
SODA ACID reduces fuel supply
CO2 reduces oxygen
HALON chemical reaction
Fire distinguishers should be 50 feet from equipment and toward the
door
Heat
Computer hardware 175F (80c)
Magnetic storage 100F (37c)
Paper 350F (176c)
Sprinklers Wet pipe always contains water, fuse nozzle melts at
165F
Dry pipe water in tank until clapper valve releases
it – only begins to fill when triggered by excessive
heat
Douches, large amounts of water/foam Pre-action
(MOST RECOMMENDED)
water in tanks, first water in pipes when air is lost when heat is
detected, then thermal link in nozzle melts to release water
HALON
1211 = portable
1301 = flooding
FM-200 most common replacement (others: CEA, NAF, FE-13
Argon INERGEN Low Pressure Water)
RESISTANCE
Walls: 1 hour fire rating and adjacent room with paper 2 hours
Security Capabilities of Information Systems
TPM - Trusted Platform Module is both a specification for a
cryptoprocessor chip on a mainboard and the general name for
implementation of the specification. A TPM chip is used to store and
process cryptographic keys for the purposes of a hardware
supported/ implemented hard drive encryption system. Generally, a
hardware implementation, rather than a software-only
implementation of hard drive encryption, is considered to be more
secure.
Constrained or restricted interface - is implemented within an
application to restrict what users can do or see based on their
privileges.
Natural environment threats (earthquakes floods, tornadoes)
Supply system threats (power communications water gas)
Manmade threats (vandalism, fraud, theft)
Politically motivated threats (terroristic attacks, riots bombings)
Life safety takes precedence!!
Layered defense model: all physical controls should be work
together in a tiered architecture (stacked layers)
Vulnerability=weakness threat = someone will identify the
weakness and use it against you and becomes the threat agent
Risk analysis-->Acceptable risk level -->baseline>implement
countermeasures
Major sources:
Temperature, Gases, Liquids
Organism: viruses, bacteria
Projectiles: cars, trucks, bullets
Movement: Collapse, earthquakes Energy: radio, radiation
Nice to Know
SMSD - Switched Multimegabit Data Service, a connectionless
packet-switching technology. Often, SMDS is used to connect
multiple LANs to form a metropolitan area network (MAN) or a
WAN. SMDS was often a preferred connection mechanism for
linking remote LANs that communicate infrequently, a forerunner
to ATM because of the similar technologies used.
DHCP Snooping – used to shield networks from unauthenticated
DHCP clients
ICS - industrial control system is a form of computer-management
device that controls industrial processes and machines. ICSs are
used across a wide range of industries, including manufacturing,
fabrication, electricity generation and distribution, water
distribution, sewage processing, and oil refining.
There are several forms of ICS, including distributed control
systems (DCSs), programmable logic controllers (PLCs), and
(SCADA).
SCADA - supervisory control and data acquisition
Kerchoff principle - a cryptographic system should be secure
even if everything about the system, except the key, is public
knowledge.
Input and Parameter Checking - limit how much data can be
proffered as input. Proper data validation is the only way to do
away with buffer overflows.
Side-channel attack - is a passive, noninvasive attack intended to
observe the operation of a device. When the attack is successful,
the attacker is able to learn valuable information contained within
the smartcard, such as an encryption key.
Trust – ()
Transitive Trust – Transitive trust is the concept that if A trusts B
and B trusts C, then A inherits trust of C through the transitive
property— which works like it would in a mathematical equation: if
a = b, and b = c, then a = c. A transitive trust extends the trust
relationship between the two security domains to all of their
subdomains. Within the context of least privilege, it’s important to
examine these trust relationships.
Nontransitive trust - exists between two security domains, which
could be within the same organization or between different
organizations. It allows subjects in one domain to access objects
in the other domain. A nontransitive trust enforces the principle of
least privilege and grants the trust to a single domain at a time.
Interference
Clean=no interference
Line noise: can be EMI or RFI
Transient: short duration of noise
Counter: voltage regulators, grounding/shielding and line
conditioners
EMI
COMMON mode noise: difference between hot and ground
Traverse mode noise: difference between hot and neutral
HINT: common--grounds
Excesses
SPIKE: short high voltage
SURGE: long high voltage
Counter: surge protector
Losses
FAULT: short outage
BLACKOUT: long outage
Counter: Backup power
Long term: Backup Power generator
Short term: UPS
-Online uses ac line voltage to charge batteries, power always
though UPS
-Standby UPS, inactive till power down
Degradation
SAG/DIP: short low voltage
BROWNOUT: long low voltage
Counter: constant voltage transformers
Other
Inrush Surge: surge of current required to power on devices
Common-mode noise: radiation from hot and ground wires
Traverse-mode noise: radiation from hot and neutral wires.
Static charge
40 volts sensitive circuits
1000 scramble monitor display
1500 disk drive data loss
2000 system shutdown
4000 Printer Jam
17000 Permanent chip damage
Humidity (326)
<40% static electricity up to 20.000 volts
NORMAL 40-60% up to 4000 volts
>60% corrosion
Tempest
shielding and other emanations-reducing mechanism, a
technology that allows the electronic emanations that every
monitor produces (known as Van Eck radiation) to be read from a
distance (this process is known as Van Eck phreaking)
White noise - broadcasting false traffic at all times to mask and
hide the presence of real emanations.
Faraday cage - a box, mobile room, or entire building designed
with an external metal skin, often a wire mesh that fully surrounds
an area on all sides (in other words, front, back, left, right, top, and
bottom). This metal skin acts as an EMI absorbing capacitor
control zone - the implementation of either a Faraday cage or
white noise generation or both to protect a specific area in an
environment

16. Network Layers OSI MODEL (347)
(later succeeded by TCP/IP)
HINT: All People Seems to Need Data Processing
It encapsulates data when going through the layers
Application – layer 7 – C, AU, I, NR
FTP, SNMP, TELNET, TFTP, SMTP, HTTP, NNTP, CDP,
GOPHER, SMB, NDS, AFP, SAP, NCP, SET, LDAP. Technology:
Gateways. User data
Secure HTTP, S-HTTP - encrypting HTTP documents. Also
overtaken by SSL
SSL, Secure Socket Layer - encryption technology to provide
secure transactions like credit card numbers exchange. Two
layered: SSL record protocol and handshake protocol. Same as
SSH it uses symmetric encryption for private connections and
asymmetric or public key cryptography for peer authentication.
Secure Electronic Transaction (SET) - authentication for credit
card transactions. Overtaken by SSL
Also uses message authentication code for integrity checking.
Telnet - terminal emulation enables user to access resources on
another machine. Port 23
FTP, File Transfer Protocol - for file transfers. Cannot execute
remote files as programs. Authentication. Port 20 and 21
TFTP, Trivial File Transfer Protocol - stripped down, can only
send/receive but not browse directories. No authentication thus
insecure. Port 69
SMTP, Simple Mail Transfer protocol - email queuing. Port 25
SNMP, Simple Networking Management Protocol collection of
network information by polling the devices from a management
station. Sends out alerts –called traps- to an database called
Management Information Bases (MIBs)
Presentation – layer 6 – C, AU, Encryption
Translations like EBCDIC/ANSI; compression/decompression and
encryption/decryption. Uses a common format to represent data,
Standards like JPEG, TIFF, MID, HTML; Technology: Gateway.
Messages
Session -layer 5 -- None
Inter-host communication, logical persistent connection between
peer hosts, a conversation, simplex, half duplex, full duplex.
Protocols as NSF, SQL, RADIUS, and RPC. Protocols: PAP,
PPTP, RPC Technology: Gateway
PAP – Password Authentication Protocol
PPTP – Point-to-Point Tunneling Protocol
RPC – Remote Procedure Call Protocol
NFS, Network File System - protocol that supports file sharing
between two different file systems
NetBIOS –
SSL/TLS -
Network Layers OSI MODEL (cont.) (347)
Transport – layer 4 – C, AU, I
End-to-end data transfer services and reliability. Technology:
Gateways. Segmentation, sequencing, and error checking at this
layer. Datagrams
TCP Three-way Handshake – SYN, SYN-/ACK, ACK
Protocols: TCP, UDP, SSL, SSH-2, SPX, NetBIOS, ATP
Secure Shell (SSH-2) - Authentication, compression,
confidentiality and integrity.
Uses RSA certificates for authentication and triple DES for
encryption
TCP, Transmission control protocol – reliable, sequences and
works with acknowledgements. Provides a manageable data flow
to avoid congestions overloading and data loss. (Like having a
telephone conversation with someone). Connection Oriented. User
UDP, Datagram protocol – unreliable, scaled down version of
TCP, no error correction, no sequencing. Less overhead. (Like
sending a letter to someone). Connectionless.
Network – layer 3 – C, AU, I
Path selection and logical/network addressing.
Technology: Virtual circuits (ATM), routers. Packets
Addressing – IP uses the destination IP to transmit packets thru
networks until delivered
Fragmentation – IP will subdivide a packet if its size is greater
than the maximum allowed on a local network
Message routing, error detection and control of node data are
managed. IP, IPSEC, ICMP, BGP, OSPF, RIP, BOOTP, DHCP,
ZIP, DDP, X.25, NAT and IGMP
OSPF Open Shortest Path First – routing protocol short path
SKIP, Simple Key Management for Internet Protocols - provides
high availability in encrypted sessions to protect against crashes.
Exchanges keys on a session by session basis.
ARP, Address resolution protocol - Used to match an IP
address to a hardware MAC address. ARP sends out broadcast to
a network node to reply with its hardware address. It stores the
address in a dynamic table for the duration of the session, so
ARP requests are only sent the first time
ICMP, Internet control message protocol - sends messages
between network nodes regarding the health of the network. Also
informs about rerouting in case of errors. Utility PING uses ICMP
messages to check physical connectivity of the network machines
IPX, Appletalk, and NetBEUI are non-IP protocols.
IP, Internet protocol - all hosts have an IP address. Each data
packet has an IP address of sender and recipient. Routing in
network is based upon these addresses. Datagram service is
considered unreliable because there’s no guarantee that the
packet will be delivered, not even that its delivered only once and
no guarantee that its delivered in the same sequence that its sent
32 bits long, IPv6 is 128 bits long
DHCP: Dynamic Host Configuration Protocol
BootP, Bootstrap Protocol when wireless workstation is on-lined
it sends out a BootP request with its MAC address to get an IP
address and the file from which it should boot. Replaced by DHCP
Network Layers OSI MODEL (cont.) (347)
Data Link – layer 2 - C
This layer deals with addressing physical hardware. FRAMES
Translates data into bits and formats them into data frames with
destination header and source address. Error detection via
checksums.
LLC, the Logical Link Control Sub layer - Flow control and error
notification
MAC: the Media Access Control layer - Physical addressing.
Concerns frames, logical topologies and MAC-addresses
Protocols: L2F, PPTP, L2TP, PPP, SLIP, ARP, RARP, SLARP,
IARP, SNAP, BAP, CHAP, LCP, LZS, MLP, Frame Relay, Annex
A, Annex D, HDLC, BPDU, LAPD, ISL, MAC,
Ethernet, Token Ring, FDDI
RARP, Reverse address resolution protocol - When a hardware
address is known but the IP address has to be found. (like an
diskless machine)
Switches, bridges, hardware addressing
Physical – layer 1 - C
Physical signaling. Coverts bits into voltages or light impulses.
Electrical, Hardware and software drivers are on this level. It sends
and receives bits.
Repeaters, hubs, cables, USB, DSL, ISDN, ATM
Physical topologies: BUS, MESH, STAR, TREE, RING
Network layers TCP/IP Model (353)
Developed by Department of Defense in the 1970s to support the
construction of the internet
HINT: AHIN
Application – layer 4 (Application/Presentation/Session)
Applications and processes that uses the network
Host-to-Host – Layer 3 (Transport)
End-to-end data delivery
Protocols: TCP and UDP
Internet – Layer 2 (corresponds to OSI network layer) Defines the
IP datagram and handles routing of data across networks
Protocols: IP, ARP, RARP, ICMP
Network access – Layer 1 (Data link, Physical)
Routines for accessing physical networks and the electrical
connection
LPD, Line printer daemon for printing and spooling
X Windows graphical user interface

17. Security Modes (used in MAC)
Dedicated security mode :
- All users can access all data.
- Clearance for all information.
- Need to know for ALL data system high security mode:
- All users can access some data, based on need to
know
- Clearance for all information
- Need to know for SOME data compartmented security
mode:
- All users can access some data, based on their need
to know and approval.
- Clearance for all information they access
- Need to know for SOME data
- Use of information labels
Multi-level:
- All users can access some data, based on their need
to know, approval and clearance.
- Clearance for all information they access
- Need to know for SOME data Others:
controlled type of multilevel security where a limited amount of
trust is placed in the system’s hardware/software along with
classification
limited access: minimum user clearance is not cleared and the
maximum data classification is unclassified but sensitive
Firewalls
A method of guarding a private network by analyzing the data
leaving and entering. Firewalls can also provide network address
translation, so the IP addresses of computers inside the firewall
stay hidden from view.
Packet-filtering firewalls (layer 3/4) - use rules based on a
packet’s source, destination, port or other basic information to
determine whether or not to allow it into the network.
Stateful packet filtering firewalls (layer 7) - have access to
information such as; conversation, look at state table and context
of packets; from which to make their decisions.
Application Proxy firewalls (layer 7) (3-7 actually)- which look
at content and can involve authentication and encryption, can be
more flexible and secure but also tend to be far slower.
Circuit level proxy (layer 5)- looks at header of packet only,
protects wide range of protocols and services than app-level proxy,
but as detailed a level of control. Basically once the circuit is
allowed all info is tunneled between the parties. Although firewalls
are difficult to configure correctly, they are a critical component of
network security.
SPF, Static Packet Firewall (layer 3) -
Wireless (364)
IEEE 802.15 is the standard for Bluetooth. IEEE 802.3 defines
Ethernet, 802.11 defines wireless networking, and 802.20 defines
LTE.
Amendment Speed Freq. Range Comp.
802.11 2 Mbps 2.4 GHz FHSS/DSSS
802.11a 54 Mbps 5 GHz 150 - OFD A
802.11b 11 Mbps 2.4 GHz 300 -
DSSSS
b/g/n
802.11g 54 Mbps 2.4 GHz 300 b/g/n
802.11n 200+
Mbps
2.4 or 5
GHz
300 a/b/g
802.11ac 1 Gbps 5 GHz 300 a/b/g
802.16 IEEE
802
WBA
802.11i AES CCMP WPA2
Security Enhancement Protocols
TELNET: Remote terminal access and Secure Telnet
REMOTE PROCEDURE CALL: Secure remote procedure call
(SRA)
SSH – Secure Shell over Telnet for remote server administration
via the command line

18. Netwok IPV4 (354)
TCPIP Classes
Class A network number values begin at 1 and end at 127
Class B network number values begin at 128 and end at 191
Class C network number values begin at 192 and end at 223
ISDN
BRI B-channel 64Kbps, D-channel 16Kbps
PRI B- and D-channels are 64Kbps
80211 has CSMA/CA as protocol. Can use DSSS and FHSS (ss
stands for spread spectrum)
802.11b uses only DSSS
Before a computer can communicate with the internet, it needs an
IP-address, a default gateway and a subnet mask
To connect multiple LAN segments you can use Bridges,
Switches and Routers
Fast Ethernet 100Base-TX has as characteristics: 100Mbps data
transmission, 1 pairs Cat5 UTP and max segment of 100 meters
(328 feet)
Unsubnetted netmask is shown as /24
Other word for DMZ is screened subnet
FTP, RLOGIN and TELNET never uses UDP but TCP
Attenuation - is a decrease in amplitude as a signal propagates
along a transmission medium
SSL session key length is from 40bit to 256 bit
The bridge connects multiple networks at the data link layer, while
router connects multiple networks at the network layer.
Data backups addresses availability, integrity and recovery but not
confidentiality
IP headers contain 32-bit addresses (in IPv4) and 128 in IPv6. In
an Ethernet LAN, however, addresses for attached devices are 48
bits long.
Subnet Masks
Class A 255.0.0.0
Class B 255.255.0.0
Class C 255.255.255.0
Types of Wireless Networks (364)
Uses the 802.11x specification to create a wireless LAN
Ad hoc Mode – directly connect two+ clients, no access point
Infrastructure Mode – connects endpoints to a central network,
not directly to each other, need access point and wireless clients
for IM mode wireless
Stand-alone Mode – isolated system
WEP – don’t use can be cracked in seconds, predecessor to WPA
and WPA2, confidentiality, uses RC4 for encryption, weakened by
use of RC4 use of common key and a limited number of
initialization vectors
WPA – uses TKIP for data encryption
WPA2 – based on 802.11i, uses AES, key management, reply
attack protection, and data integrity, most secure, CCMP included,
WPA2 ENTERPRISE Mode - uses RADIUS account lockout if a
password-cracker is used
TKIP – Temporal Key Integrity Protocol, uses RC4
LEAP – Lightweight Extensible Authentication Protocol, Cisco
proprietary protocol to handle problems with TKIP, security issues
don’t use. Provides reauthentication but was designed for WEP
TCP Ports
- TCP 20 & 21; TCP
- UDP 21; not used for any common file transfer protocol
- TCP 21 & UDP 21;
- TCP 22; SSH (SFTP operates oevr SSH)
- TCP 23; telnet: TCP 515; LPD - print
- TCP 25; SMTP (Simple Mail Transfer Protocol)
- TCP 53; DNS; TCP 110; POP3
- TCP 80; HTTP – no confidentiality
- TCP 143; IMAP (Internet Message Access Protocol)
- TCP 389; unsecure LDAP
- TCP 636; LDAP-S over SSL or TLS
- TCP 9100; network printers
- UDP 69; TFTP (Trivial FTP)
- 6000-6063; X Windows, Linux
- TCP 443; HTTPS – Nikto to scan
- TCP 445; Active Directory
- TCP; 1433; Microsoft SQL, Db
- TCP 1521; Oracle: TCP 3389; RDP
- TCP 3268/3269; global catalog (unsecure/secure)
- TCP/UDP; 137-139; NetBIOS services
Switched Networks (378)
Coaxial - many workstations, length. 1000Base-T – 100 M
Twisted pair to long. Cat 5 better than cat3 for
interference Fiber optics immune to EMI, can be broken
and high cost/expertise Topology failures
Ethernet twisted pair - more resistant than coaxial
Token Ring because a token is passed by every station, a NIC
that’s is set to wrong speed or error can take all network down
Fiber Distributed Data Interface - form of token ring that has
second ring that activates on error
Leased lines use multiple lines and/or multiple vendors
Frame Relay WAN - over a public switched network. High
Fault tolerance by relaying fault segments to working.
Speeds; T-1 – 1.544 Mbps, T-3 – 44,736 Mbps (45)
ATM – 155 Mbps, ISDN – 64 or 128 Mbps
CAT 3 UTP; 10 Mbps, CAT 5;100 Mbps CAT 5e/6 – 1,000 Mb
Email Security Solutions & Certs (368)
LDAP – Lightweight Directory Access Protocol, client/server based
directory query protocol loosely based upon X.500, commonly
manages user information, for accessing directory services and
manage certificates Ex. Active Directory, cn=ben+ou=sales
Zero or more, comma separated, no semi-colon, + to join
SASL – provides secure LDAP authentication
OpenLDAP – default, stores user PW in the clear
Client SSL Certificates – used to identify clients to servers via
SSL (client authentication)
S/MIME Certificates – used for signed and encrypted emails, can
form sign, and use as part of a SSO solution
MOSS – MIME Object Security Services, provides authentication,
confidentiality, integrity, and nonrepudiation
PEM – provides authentication, confidentiality, integrity, and
nonrepudiation
DKIM – Domain Keys Identified Mail, domain validation tool
OAuth – ability to access resources from another service
OpenID – paired with OAuth is a RESTful, JSON-based
authentication protocol can provide identity verification and basic
profile information, phishing attack possible by sending fake data
Security Perimeter (370)
The first line of protection between trusted and untrusted
networks. Generally includes a firewall and router that help filter
traffic. May also include proxies, IDSs, and IPSs.
Zero Day – application white list
Operations of Hardware (374)
Multiplexors- device that enables more than one signal to be
send out of one physical circuit
WAN switches - multi-port networking devices that are used in
carrier networks. Connect private data over public data by using
digital signals. Data link layer.
Access servers - server that provides dial-in and dial-out
connections to the network
Modems - transmits data over telephone lines
Channel Service Unit (CSU)/Data service unit (DSU) - digital
interface device used to terminate the physical interface on a DTE
device. They connect to the closest telephone company switch in a
central office (CO)
LAN Devices (374)
Repeaters - amplify data signals to extend range (physical)
HUBS - connect multiple LAN devices into a concentrator. Is
actually a multi-port repeater (physical)
Bridges - Forwards data to all other network segments if it’s not
on the local segment. Operates at level 2 (thus no IP-addressing)
Switches - Will only send data to the specific destination address.
It’s actually a multi-port bridge. (Data link)
Routers - opens up data packet, reads hardware or network
address and then forwards it to the correct network
Gateway - software that acts as access point to another network
or device that translates between different protocols
LAN extenders - remote access, multi layer switch that connects
LANs over a WAN